X509证书基本概念

这篇具有很好参考价值的文章主要介绍了X509证书基本概念。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

X509证书使用数字签名将身份绑定到公钥。通常包含两种类型证书:一种是CA证书,CA证书可以颁发其他证书,最上层的CA证书也称为根证书,其他CA证书称为中间CA证书或者子CA证书。另一种是实体终端证书,这种证书不能颁发其他证书。

X509 V3证书格式

X509证书基本概念

证书Subject name

由上面证书结构我们可以知道X509证书包含一系列的属性,其中有一个就是subject name,这个属性主要用来表明该证书的部门名称,同时通过该字段我们也可以验证我们当前证书是不是我们需要访问的链接的证书。其包含了如下常用属性对

属性 全称
CN CommonName
OU OrganizationalUnit
O Organization
L Locality
ST State or ProvinceName
C CountryName
emailAddress email address
一个简单例子如下:
 CN=Sample Cert, OU=R&D, O=Company Ltd., L=Dublin 4, S=Dublin, C=IE

编码格式

x509证书主要有2种编码格式,一种是DER格式,另一种是PEM格式。

1. DER格式
二进制格式。der类型的不用在编码解码,直接就是二进制的数据可以直接使用

2.PEM格式
PEM格式的文件是普通的文本文件,实际内容进行了某些编码(如Base64编码)数据要根据base64编码解码后,得到的数据需要进行增加或裁剪特殊字符-、\n、\r、begin信息、end信息等。通常PEM文件都包含不同的页眉页脚。
证书签名请求CSR的格式如下

-----BEGIN CERTIFICATE REQUEST----
...
-----END CERTIFICATE REQUEST-----

RSA私钥文件格式如下

-----BEGIN PRIVATE KEY----
...
-----END PRIVATE KEY-----

证书文件格式如下

-----BEGIN CERTIFICATE----
...
-----END CERTIFICATE-----

文件扩展名

扩展名 编码格式
.pem 采用pem编码格式文件
.der 采用der编码格式文件
.crt 可能是pem编码,也可能是der编码。但大多数情况下为pem编码的证书
.cer 可能是pem编码,也可能是der编码。但大多数情况下为der编码的数字证书
.p7b/.p7c PKCS 7数据格式,签名文件,只包含证书文件
.p12 PKCS12格式,通常包含了私钥private key和公钥key(certificate)

openssl生成证书

1.生成RSA私钥

 openssl genrsa -out privatekey.pem 2048

2. 使用rsa私钥生成公钥

 openssl rsa -in privatekey.pem -pubout -out publickey.pem

3. 根据私钥请求生成证书签名请求(CSR)

openssl req -new -key privatekey.pem -out csr.pem -subj "/C=CN/ST=GuangDong/L=GZ/O=HF/OU=dev/CN=com.test/emailAddress=mary@163.com"

4.生成CA证书
我们这里是指自签CA证书
a.生成ca私钥

openssl genrsa -out ca.key 2048

b.生成CA自签名证书

openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=CN/ST=Guangdong/L=GZ/O=HF/OU=dev/CN=ca/emailAddress=mary@163.com"

c.使用CA签名证书对我们签名

openssl x509 -req -days 3650 -in csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out mycert.crt

5.查看证书
a. 查看根证书

openssl x509 -in ca.crt -noout -text   

b.查看生成的证书

openssl x509 -in mycert.crt -noout -text

证书实例

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:04:54:08:f9:ff:10:92:e1:69:fe:49:8f:78:d3:6d:dc:47
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jul 15 08:01:49 2021 GMT
            Not After : Oct 13 08:01:48 2021 GMT
        Subject: CN = *.wikipedia.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a5:9a:47:b2:d3:fc:a7:df:de:f6:cb:45:62:0a:
                    d3:c1:a7:38:de:20:bd:d7:10:7d:58:73:de:8d:a1:
                    99:70:0c:dd:ab:91:3f:0e:83:97:1b:4f:a2:99:f3:
                    f8:30:73:ef:da:be:91:25:18:7a:d6:da:bf:e5:e9:
                    72:a3:41:31:7a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                08:0E:29:26:07:E9:B4:5B:63:2D:86:5D:F6:E2:5A:8C:CD:6A:D0:A7
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                    Timestamp : Jul 15 09:01:49.274 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:88:0F:F3:F1:BC:A3:AD:B8:7B:FD:C2:
                                A6:6A:4B:7C:1F:35:18:7B:3F:18:F6:43:29:46:F6:C2:
                                DD:15:63:C1:5D:02:21:00:CF:E0:1F:3D:E7:4A:37:C6:
                                CD:E5:BC:CD:99:FE:9C:F1:F7:EA:04:2D:97:DA:C2:74:
                                A6:30:37:57:F0:32:82:73
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Jul 15 09:01:50.105 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:37:BC:8F:6A:BA:FA:AC:0B:3B:4C:3F:C8:
                                C2:AB:EA:3B:60:DE:A8:AB:44:72:E5:43:6A:E0:0A:24:
                                32:49:7F:30:02:20:11:AF:F7:67:43:81:07:C7:FB:B6:
                                89:55:0B:74:58:61:76:FB:62:FF:F4:C9:D0:C6:A7:43:
                                63:98:4C:F5:4C:7E
    Signature Algorithm: sha256WithRSAEncryption
         8e:f4:d1:85:9c:96:e8:63:d0:38:fd:7a:cc:d5:ad:b2:06:b4:
         4a:cf:3d:5a:b9:c2:28:3d:58:57:8a:55:42:ec:99:d3:ca:4f:
         ec:97:c0:10:73:77:43:5c:74:be:7e:2a:89:d8:fa:86:2f:8d:
         d3:57:99:67:3a:f6:28:6c:d1:26:29:ce:cf:7e:96:bd:34:0e:
         86:98:b3:0b:2e:28:dc:5b:46:77:32:a7:d9:b1:e6:de:e9:9a:
         2b:5d:03:f2:e0:07:12:03:d9:03:a8:ef:47:60:16:55:2a:32:
         53:c9:b3:4c:54:99:e0:98:d6:5f:1a:94:1c:6c:c5:e9:13:f7:
         08:c7:b6:b5:dd:d8:2b:b5:b7:2e:ba:cb:0b:2d:be:50:c6:85:
         0d:22:46:5e:e6:5f:b7:d4:86:45:d8:a4:bf:80:18:6e:46:96:
         d1:76:93:f5:40:e2:15:18:be:e0:cb:5f:cd:d0:4f:fa:ca:76:
         68:ba:94:c4:1d:1a:0e:3d:3b:ef:ed:1e:29:38:1d:22:bb:8b:
         96:71:55:b7:e4:8b:31:34:ec:63:09:e9:1c:d8:2f:f8:9a:b7:
         78:dc:33:c9:4e:84:85:03:0b:c5:52:af:9e:b0:6a:dc:fe:9e:
         89:2f:17:40:69:74:74:65:37:38:b4:28:23:01:01:81:19:23:
         23:cd:75:a0

参考文档

https://www.openssl.org/docs/man1.1.1/man1/genrsa.html
https://www.openssl.org/docs/man1.1.1/man1/rsa.html
https://www.openssl.org/docs/man1.1.1/man1/x509.html
https://www.openssl.org/docs/man1.1.1/man1/req.html文章来源地址https://www.toymoban.com/news/detail-428959.html

到了这里,关于X509证书基本概念的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包